Thursday, June 29, 2017

Complex Petya-Like Ransomware Outbreak Worse than WannaCry | Threatpost | The first stop for security news

Join Kaspersky Lab and Comae Technologies Thursday June 29, 2017
at 10 a.m. Eastern time for a webinar “The Inside Story of the
Petya/ExPetr Ransomware.” Click here to attend.






To νέο ransomware που έχει κάνει από χθες αισθητή την παρουσία του είναι χειρότερο από το #WannaCry
https://kas.pr/f7iw #nomoreransom #Petya #NotPetya







The attackers behind today’s global ransomware outbreak
are spreading the malware using a modified version of the leaked NSA
EternalBlue exploit and two Windows utilities to move laterally on local
networks, adding layers of complexity to this attack to where it could
dwarf WannaCry in short order.

Unlike WannaCry, this new ransomware sample contains no killswitch
and is burrowing through corporate networks and endpoints, forcing
workers at a number of locations to pull their machines from the
internet.


Critical industries and services have been affected since the attack
began this morning in Russia, Ukraine and then throughout Europe,
including the radiation monitoring station
for the crippled Chernobyl nuclear power plant and pharmaceutical giant
Merck and Co.’s MSD operation in the United Kingdom. This augments a
growing list of victims that also includes Danish shipping giants
Maersk, Ukraine’s central bank, the country’s Borispol Airport in Kiev
and dozens of other victims there, along with SaintGobain, a leading
manufacturer in France and Russian oil company Rosneft and steel
manufacturer Evraz.


Complicating matters is the fact German email provider Posteo, which
hosts the email address provided in the ransom note,
wowsmith123456@posteo[.]net has shut down the attacker’s account.
Victims are being advised not to pay because there is no way for the
attacker to deliver the decryption key even if the $300 demand in
Bitcoin is arranged.




“There is no killswitch as of yet, and reports say the ransom email
is invalid so paying up is not recommended,” said researcher Sean Dillon
of RiskSense.


The ransomware behaves similarly to a year-old strain called Petya, which encrypts a computer’s Master File Table
along with a number of file types. Experts are divided on whether this
is Petya, a variant, or a knock-off, but that matters little to victims
worldwide.


“This appears to be a complex attack which involves several attack
vectors,” Kaspersky Lab said in a statement. The company published its analysis of the attack this afternoon.


The gravity of this attack is multiplied by the fact that even
servers patched against the SMBv1 vulnerability exploited by EternalBlue
can be successfully attacked, provided there is at least one Windows
server on the network vulnerable to the flaw patched in March in MS17-010.


The attackers have built in the capability to infect patched local
machines using the PSEXEC Windows SysInternals utility to carry out a
pass-the-hash attack. Some researchers have also documented usage of the
Windows Management Instrumentation (WMIC) command line scripting
interface to spread the ransomware locally. Organizations are being
advised to disable both utilities and apply MS17-010 if they haven’t
done so already.


“If I run the attack on my machine and I’m a domain admin, it uses my
credentials to authenticate to other machines on the network,” said
Matthew Hickey, founder of My Hacker House. “In an enterprise
environment, if it gets one privileged user, one domain admin, this will
spread across the network even to patched machines.”


Unlike WannaCry, this attack does not have an internet-facing worming
component, and only scans internal subnets looking for other machines
to infect.


“I think this is actually worse than WannaCry from that perspective
alone,” said Jake Williams, founder of Rendition Infosec. Williams said
that this version of EternalBlue has been “cleaned up,” and that it’s
not a direct copy-and-paste of the original leaked by the ShadowBrokers in April along with the Fuzzbunch platform. Once a server is compromised by EternalBlue, the attacker is in as a system user.


“You’re basically in God mode on the machine,” Williams said. “From
there, you can take the local admin account and PSEXEC from there to
another machine if the machines share the same credentials (which would
have been set up by an admin). If they’re the same, you’re going to be
successful. It passes the authentication hash and the attacker can begin
pivoting around the network, even to patched machines. Some thought
went into this and how to improve on WannaCry’s distribution method.”


Researchers at Cisco, also confirmed by Kaspersky Lab, have identified a Ukrainian tax accounting package called MeDoc as a potential infection vector.
Both companies’ researchers said some infections could be linked to an
attack against MeDoc’s software update systems. Early reports also
suspected that some infections were spread via phishing emails with
infected Excel documents exploiting a CVE-2017-0199, a Microsoft Office/WordPad remote code execution vulnerability.


Experts such as Dillon and Hickey were concerned about this type of
virulent outbreak leveraging EternalBlue that did not include a
WannaCry-like killswitch. Hickey said a sample he examined arrived as a
DLL wrapped in crypto that also includes anti-analysis capabilities,
something that Williams confirmed.


“As soon as I saw MS17-010, I began banging the drum quite loudly
about exactly this type of incident,” Hickey said. “Even though it’s
been patched, it only takes one missing patch on a critical server that
will be the Achilles heel of a network.”


Avecto VP Andrew Avanessian said there may be copycat malware for the foreseeable future.


“Cyber criminals are taking a preexisting piece of malware and
changed some of the payload elements of it. With the release of
different hacking techniques from the NSA, nation-state hacking
capabilities are now in the hands of novice cybercriminals,” Avanessian
said.

Complex Petya-Like Ransomware Outbreak Worse than WannaCry | Threatpost | The first stop for security news